<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
 <head>
  <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  <title>Escape shell metacharacters</title>

 </head>
 <body><div class="manualnavbar" style="text-align: center;">
 <div class="prev" style="text-align: left; float: left;"><a href="function.escapeshellarg.html">escapeshellarg</a></div>
 <div class="next" style="text-align: right; float: right;"><a href="function.exec.html">exec</a></div>
 <div class="up"><a href="ref.exec.html">Program execution 函数</a></div>
 <div class="home"><a href="index.html">PHP Manual</a></div>
</div><hr /><div id="function.escapeshellcmd" class="refentry">
 <div class="refnamediv">
  <h1 class="refname">escapeshellcmd</h1>
  <p class="verinfo">(PHP 4, PHP 5)</p><p class="refpurpose"><span class="refname">escapeshellcmd</span> &mdash; <span class="dc-title">Escape shell metacharacters</span></p>

 </div>

 <div class="refsect1 description" id="refsect1-function.escapeshellcmd-description">
  <h3 class="title">说明</h3>
  <div class="methodsynopsis dc-description">
   <span class="type">string</span> <span class="methodname"><strong>escapeshellcmd</strong></span>
    ( <span class="methodparam"><span class="type">string</span> <code class="parameter">$command</code></span>
   )</div>

  <p class="para rdfs-comment">
   <span class="function"><strong>escapeshellcmd()</strong></span> escapes any characters in a
   string that might be used to trick a shell command into executing
   arbitrary commands.  This function should be used to make sure
   that any data coming from user input is escaped before this data
   is passed to the <span class="function"><a href="function.exec.html" class="function">exec()</a></span> or
   <span class="function"><a href="function.system.html" class="function">system()</a></span> functions, or to the <a href="language.operators.execution.html" class="link">backtick
   operator</a>.
  </p>
  <p class="para">
   Following characters are preceded by a backslash:
   <em>#&amp;;`|*?~&lt;&gt;^()[]{}$\</em>, <em>\x0A</em>
   and <em>\xFF</em>. <em>&#039;</em> and <em>&quot;</em>
   are escaped only if they are not paired. In Windows, all these characters
   plus <em>%</em> are replaced by a space instead.
  </p>
 </div>


 <div class="refsect1 parameters" id="refsect1-function.escapeshellcmd-parameters">
  <h3 class="title">参数</h3>
  <p class="para">
   <dl>

    
     <dt>
<em><code class="parameter">command</code></em></dt>

     <dd>

      <p class="para">
       The command that will be escaped.
      </p>
     </dd>

    
   </dl>

  </p>
 </div>


 <div class="refsect1 returnvalues" id="refsect1-function.escapeshellcmd-returnvalues">
  <h3 class="title">返回值</h3>
  <p class="para">
   The escaped string.
  </p>
 </div>


 <div class="refsect1 examples" id="refsect1-function.escapeshellcmd-examples">
  <h3 class="title">范例</h3>
  <p class="para">
   <div class="example" id="example-3582">
    <p><strong>Example #1 <span class="function"><strong>escapeshellcmd()</strong></span> example</strong></p>
    <div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB">&lt;?php<br /></span><span style="color: #FF8000">//&nbsp;We&nbsp;allow&nbsp;arbitrary&nbsp;number&nbsp;of&nbsp;arguments&nbsp;intentionally&nbsp;here.<br /></span><span style="color: #0000BB">$command&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #DD0000">'./configure&nbsp;'</span><span style="color: #007700">.</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'configure_options'</span><span style="color: #007700">];<br /><br /></span><span style="color: #0000BB">$escaped_command&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">escapeshellcmd</span><span style="color: #007700">(</span><span style="color: #0000BB">$command</span><span style="color: #007700">);<br />&nbsp;<br /></span><span style="color: #0000BB">system</span><span style="color: #007700">(</span><span style="color: #0000BB">$escaped_command</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">?&gt;</span>
</span>
</code></div>
    </div>

   </div>
  </p>
 </div>


 <div class="refsect1 notes" id="refsect1-function.escapeshellcmd-notes">
   <div class="warning"><strong class="warning">Warning</strong>
    <p class="para">
     <span class="function"><strong>escapeshellcmd()</strong></span> should be used on the whole
     command string, and it still allows the attacker to pass
     arbitrary number of arguments. For escaping a single argument 
     <span class="function"><a href="function.escapeshellarg.html" class="function">escapeshellarg()</a></span> should be used instead.
    </p>
   </div>
 </div>


 <div class="refsect1 seealso" id="refsect1-function.escapeshellcmd-seealso">
  <h3 class="title">参见</h3>
  <p class="para">
   <ul class="simplelist">
    <li class="member"><span class="function"><a href="function.escapeshellarg.html" class="function" rel="rdfs-seeAlso">escapeshellarg()</a> - Escape a string to be used as a shell argument</span></li>
    <li class="member"><span class="function"><a href="function.exec.html" class="function" rel="rdfs-seeAlso">exec()</a> - Execute an external program</span></li>
    <li class="member"><span class="function"><a href="function.popen.html" class="function" rel="rdfs-seeAlso">popen()</a> - 打开进程文件指针</span></li>
    <li class="member"><span class="function"><a href="function.system.html" class="function" rel="rdfs-seeAlso">system()</a> - Execute an external program and display the output</span></li>
    <li class="member"><a href="language.operators.execution.html" class="link">backtick operator</a></li>
   </ul>
  </p>
 </div>

</div><hr /><div class="manualnavbar" style="text-align: center;">
 <div class="prev" style="text-align: left; float: left;"><a href="function.escapeshellarg.html">escapeshellarg</a></div>
 <div class="next" style="text-align: right; float: right;"><a href="function.exec.html">exec</a></div>
 <div class="up"><a href="ref.exec.html">Program execution 函数</a></div>
 <div class="home"><a href="index.html">PHP Manual</a></div>
</div></body></html>
